Hacking the iPhone

Adam L. Penenberg
Fastcompany.com, 11/2007

WHILE RESEARCHING FAST COMPANY’S December/January cover story I ran across a startling claim: some computer security professionals were boasting that they could turn an iPhone into a piece of spyware that can intercept a target’s voice mail and e-mail, hijack its Safari browser, and even surreptitiously record conversations, all without the owner’s knowledge. H D Moore, Director of Security Research for BreakingPoint Systems, even posted a detailed primer. Given Apple’s own marketing, which boasts that Macs are more secure — and more virus-resistant — than PCs, the fact the iPhone could be hacked seemed newsworthy.

Of course, the Web is rife with braggadocio, and just because a few computer engineers could gin up an obscure software exploit or two didn’t mean anyone had actually unleashed any. Still, my editors and I wondered just how vulnerable is the “Jesus Phone” to an unscrupulous hacker? Could it really be turned into a tool of espionage?

So we purchased an iPhone for Rik Farrow, a UNIX specialist and consultant from Sedona, Arizona, and commissioned him to crack through its defenses, which he did using H D Moore’s Metasploit, a popular platform for testing security systems. The result is this video, in which Farrow was able to take complete control of an iPhone and demonstrate the ability to eavesdrop on conversations, intercept voice mail and e-mail, and upload nefarious software programs. “Physical access to an iPhone,” Farrow points out, “is not required.” Although in Farrow’s demo the Wi-Fi was turned on — common enough for iPhone users, since AT&T’s EDGE network makes Web surfing slow and laborious — Moore says his exploit can work on EDGE, too.

Now, our lawyer would like us to emphasize that Farrow was careful not to offer a cookbook, or how-to guide, on how to hack Apple’s touch screen marvel. He just showed what was possible. And we would also like to point out that the iPhone is no worse from a security perspective than other smartphones. Most, including those made by Motorola, Nokia, Samsung, and Sony Ericsson run on the Symbian operating system, which has been targeted by dozens, if not hundreds, of viruses (it’s hard to know just how many). Windows Mobile and Linux, which have scant mobile market share, are also vulnerable to digital influenza. The more these devices can do, the more complex their software systems become, the more attack surfaces they offer.

As for the iPhone, however, Apple engineers have made it easier to attack by running all software applications as “root,” which means they offer the same full-system privileges. Locate a security flaw in one — say, e-mail or the Web browser — you can control them all. Standard security protocol dictates providing layers of protection to guard against this, which the iPhone does not. Farrow believes the most likely explanation for that is Apple’s rush to get the device to market — and it is true that Steve Jobs pulled engineers off the development of the company’s new Leopard operating system to hurry the iPhone along.

As a result, there are a number of ways to exploit the iPhone’s defenses. If you know your target’s phone number, you could text message a link to a malicious Website, which would covertly install a third-party application executing malicious code. The corollary would be to send your target an e-mail with a nefarious attachment; he clicks on it and the attacker “owns” the phone. Or there’s always the “man-in-the-middle” (MITM) attack, which is perhaps the most James Bondian: You sit in, say, Starbucks with a laptop set up, as part of the ruse, to operate as a Wi-Fi access point, so a target’s Web browsing and e-mail pass through your computer first. (How can you tell who has an iPhone as opposed to someone with a standard laptop, rival smartphone, or PDA? Simple — the exploit only works on iPhones.) “This method would allow exploitation of any application that downloads images from the Internet,” Moore says. “This covers standard Web-browsing using Safari, but also includes the iTunes Music Store, the YouTube video browser, and the Google Maps application.”

But before you stash your iPhone in a drawer, realize there isn’t much value in attacking smartphones a la carte. “Taking over a PC allows you to install spam distribution servers that shoot out ads,” says Daniel Eran Dilger, a San Francisco-based technical consultant and contributing editor to AppleInsider. “There’s no real business model behind the kind of spy surveillance imagined by many writers.” And Apple (which declined to comment), in its latest patch, inoculated the iPhone against the Metasploit that Farrow used. But in the cat-and-mouse game that hackers and companies like Apple play, you can be sure someone somewhere is hatching up new schemes to hack the iPhone. Perhaps they already have.

Copyright 2007 Adam L. Penenberg (penenberg.com)